What is the CVSS score of CVE-2026-46645?

CVE-2026-46645 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

Is there a patch available for CVE-2026-46645?

Yes, a patch is available for CVE-2026-46645. Update the affected software to the latest version immediately.

sqladmin CVE-2026-46645

Q: Which versions of sqladmin are affected by CVE-2026-46645?

{identity}/ajax/lookup` enforced neither prior to patching. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.. A patch is available.

MEDIUM

Missing Authorization (CWE-862)

2026-05-21 https://github.com/smithyhq/sqladmin

GHSA-54mc-gghv-4cfj

Authentication Bypass

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

May 21, 2026 - 22:44 vuln.today

Analysis Generated

May 21, 2026 - 22:44 vuln.today

DescriptionNVD

Impact

The ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce.

If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint - silently bypassing the restriction.

Affected endpoint:

GET /{identity}/ajax/lookup?name=<field>&term=<query>

All other endpoints enforce both checks:

Endpoint	`@login_required`	`is_accessible()`
`list`	✓	✓
`create`	✓	✓
`edit`	✓	✓
`delete`	✓	✓
`details`	✓	✓
`export`	✓	✓
`ajax_lookup` (before fix)	✗	✗
`ajax_lookup` (after fix)	✓	✓

Note: before this fix, ajax_lookup also lacked the @login_required decorator - unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users.

Patches

Two changes were made to ajax_lookup:

Replaced the hand-rolled authentication check added in #1035 with the standard @login_required decorator used by all other endpoints.
Added the missing is_accessible(request) check, raising HTTP 403 when it returns False.

Workarounds

None. Developers relying on is_accessible() to restrict model visibility are exposed regardless of what other access controls are in place.

AnalysisAI

{identity}/ajax/lookup enforced neither prior to patching. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-46645 vulnerability details – vuln.today

Back

sqladmin CVE-2026-46645

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code